Failing client-certificate for wazuh-dashboard without a client connecting


Andrehens Chicfici

Jul 24, 2024, 6:33:12 AM
to Wazuh | Mailing List
Hey,
I am in the last steps of troubleshooting my wazuh-setup and I am running into the same error over and over. I have three clients that are accessing wazuh-dashboard. The certs are fine, no error messages and everything is looking fine.

But I do have an ssl3 error appearing randomly throughout the day in my syslog:

Jul 24 12:12:06 wazuh opensearch-dashboards[928]: {"type":"error","@timestamp":"2024-07-24T10:12:06Z","tags":["connection","client","error"],"pid":928,"level":"error","error":{"message":"C0E7D2ACFF7E0000:error:0A000416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1605:SSL alert number 46\n","name":"Error","stack":"Error: C0E7D2ACFF7E0000:error:0A000416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1605:SSL alert number 46\n","code":"ERR_SSL_SSLV3_ALERT_CERTIFICATE_UNKNOWN"},"message":"C0E7D2ACFF7E0000:error:0A000416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1605:SSL alert number 46\n"}

In my understanding wazuh-dashboard is not recognizing a client-certificate that is accessing the dashboard. But I am not accessing the dashboard with any other client than my 3 known ones. When I access with the 3 good ones, no error messages are thrown.

Is there a way of finding out WHICH client is trying to access? And are there other services known to access my dashboard? It happens 5 to multiple dozen times a day.

And why is it using SSL3? Isn't it standard to use TLS nowadays?

John E

Jul 24, 2024, 6:48:17 AM
to Wazuh | Mailing List
Hello Andrehens,

I am currently looking into this.

Regards.

John E

Jul 25, 2024, 7:36:00 PM
to Wazuh | Mailing List
Hello Andrehens,

Yes, you are correct, the errors appear when a client tries to connect to the dashboard with an untrusted certificate.
You can read more about this issue here and here.
To determine which other clients are trying to access your dashboard, I would like to know if your dashboard is running on a public IP address.
If it is, several random internet scans can be causing the log overflow.

Regards.
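
Added example, not part of the thread and not Wazuh's own code: a parser for the opensearch-dashboards syslog entry quoted above that decodes the TLS alert and counts events per hour. The log entry carries no client address, so the hourly counts are meant to be matched against a source that does record one (firewall or proxy connection logs). The sample lines are constructed from the entry in the first post, and all function names are hypothetical.

```python
import json
import re
from collections import Counter

# Certificate-related TLS alert descriptions (RFC 8446, section 6).
TLS_ALERTS = {42: "bad_certificate", 43: "unsupported_certificate",
              44: "certificate_revoked", 45: "certificate_expired",
              46: "certificate_unknown", 48: "unknown_ca"}
ALERT_RE = re.compile(r"error:([0-9A-Fa-f]{8}):SSL routines:(\w*):.*SSL alert number (\d+)")

def parse_line(line):
    """Parse one syslog line; return a dict for a TLS alert event, else None."""
    start = line.find("{")
    if start < 0:
        return None
    try:
        event = json.loads(line[start:])
    except json.JSONDecodeError:
        return None
    match = ALERT_RE.search(event.get("error", {}).get("message", ""))
    if not match:
        return None
    reason = int(match.group(1), 16) & 0x7FFFFF  # reason field of an OpenSSL 3 error code
    alert = int(match.group(3))
    return {
        "timestamp": event.get("@timestamp", ""),
        "function": match.group(2),  # "ssl3_read_bytes" is a legacy name, also used for TLS
        "alert": alert,
        "name": TLS_ALERTS.get(alert, "other"),
        # OpenSSL reports an alert received from the peer as reason 1000 + alert number.
        "sent_by_peer": reason == 1000 + alert,
    }

def alerts_per_hour(lines):
    """Count alert events per (UTC hour, alert name) to line up with connection logs."""
    events = filter(None, map(parse_line, lines))
    return Counter((e["timestamp"][:13], e["name"]) for e in events)

def _sample(ts):
    # Constructed sample line modelled on the log entry in the post (not real data).
    msg = ("C0E7D2ACFF7E0000:error:0A000416:SSL routines:ssl3_read_bytes:"
           "sslv3 alert certificate unknown:rec_layer_s3.c:1605:SSL alert number 46\n")
    body = {"type": "error", "@timestamp": ts, "tags": ["connection", "client", "error"],
            "error": {"message": msg}}
    return "Jul 24 12:12:06 wazuh opensearch-dashboards[928]: " + json.dumps(body)

SAMPLE = [_sample("2024-07-24T10:12:06Z"), _sample("2024-07-24T10:40:11Z"),
          _sample("2024-07-24T13:02:59Z"), "Jul 24 12:13:00 wazuh cron[77]: unrelated line"]

if __name__ == "__main__":
    for (hour, name), count in sorted(alerts_per_hour(SAMPLE).items()):
        print(hour, name, count)
```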
